Thought Leader: Jumio
Account takeover (ATO) fraud is damaging for businesses and individuals alike. And it’s on the rise, causing many enterprises to rethink authentication. Thanks to the dark web, phishing and social engineering, ATO fraud prevention is a rapidly growing challenge for online banking, payments, credit issuance, e-commerce, telecommunications and insurance.
At the same time, it’s becoming clear that commonly accepted methods for authentication, including knowledge-based authentication, SMS-based two-factor authentication and credit bureau pings, are not actually effective.
Passwords are inherently weak
Most people fall into one of two categories: they use one password for every account, or they use a slightly different password for every account. Both approaches are ineffective. Only one percent of people know and care that passwords have patterns and those patterns can be tracked or broken (Preempt, March 2017).
Today, the average business user must keep track of nearly 200 passwords. If you use the same password across multiple sites, cybercriminals may be able to take over your Gmail account and also access your online bank accounts. That’s why it shouldn’t be surprising that 80 to 90 percent of the people that log into a retailer's e-commerce site are hackers using stolen data (Shape Security, 2018 Credential Spill Report).
With this context, let’s dissect how account takeover attacks work and why modern enterprises need to rethink their authentication strategies to protect their ecosystems and mitigate fraud loss.
The growth of ATO
ATO occurs when thieves gain access to someone’s accounts, change the contact and security information and use it for some type of personal gain. In 2017, ATO cost U.S. businesses $5.1 billion, about three times as much as in 2016 and a four-year high (2018 Identity Fraud Study, Javelin Research).
With ATO, hackers can gain access to an online banking account and send funds to their own account. Frictionless payment systems are a blessing and a curse because they store billing information online, making it convenient for customers to make purchases. But, if a hacker discovers the login information, they can simply change the shipping address and start making online purchases.
How fraudsters get your account credentials
There are several ways cybercriminals can secure your account credentials, including:
Data breaches: Large-scale breaches often involve usernames and passwords, which are almost immediately made available on the dark web. Let’s look at some of the largest breaches over the last year.
Phishing attacks: Phishing attacks usually involve email, but can also be executed over the phone or via text message. The basic premise of phishing is to get you to hand over your login information. For example, a phishing email might pose as a customer support message that persuades you to click a link to a phishing site (a fake website designed to phish for information). These sites are often very realistic and prompt you to enter your login information, which is then stolen by criminals.
Phone scams: This scam usually involves a person posing as someone else, such as a Microsoft representative who convinces you that your computer has a virus and then asks you to hand over remote access to your computer. The criminal can then access any accounts you have credentials stored for. They may purport to be “testing” accounts and access them in plain sight, or they could use the remote access to install spyware.
How does account takeover work?
Once account credentials are secured, fraudsters test them against the login interfaces of other web services in an automated fashion. By running a script against a login interface, attackers can try thousands of username and password combinations per second and find the pairs that work. Once they find a “good” combination, they either take over the account right there and then or resell the verified credentials on the dark web at a higher price, since verified credentials are more valuable.
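The automated testing described above leaves a recognisable trace on the defender's side: one source trying many different usernames in a short burst, which looks nothing like a real customer mistyping their own password. The following added example (not code from the article or from Jumio) runs that check over a constructed authentication log. The log format, the field order and the thresholds (five attempts across five distinct usernames within sixty seconds) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not taken from the article).
# Assumed format per line: "<ISO-8601 timestamp> <client IP> <username> <OK|FAIL>"
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:00 203.0.113.7 bob FAIL
2024-05-01T10:00:01 203.0.113.7 carol FAIL
2024-05-01T10:00:01 203.0.113.7 dave FAIL
2024-05-01T10:00:02 203.0.113.7 erin OK
2024-05-01T10:00:02 203.0.113.7 frank FAIL
2024-05-01T10:00:03 203.0.113.7 grace FAIL
2024-05-01T10:03:00 198.51.100.9 alice FAIL
2024-05-01T10:03:20 198.51.100.9 alice FAIL
2024-05-01T10:03:45 198.51.100.9 alice OK
"""


def parse_auth_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_attempts=5, min_distinct_users=5):
    """Flag source IPs that try many *different* usernames within `window`.

    A single user who mistypes their own password produces several failures
    for ONE username; credential stuffing produces failures across MANY
    usernames from one source. Returns {ip: stats} for flagged sources.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_auth_line(line)
            by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            current = events[start:end + 1]
            distinct = {user for _, user, _ in current}
            if len(current) >= min_attempts and len(distinct) >= min_distinct_users:
                stats = {
                    "attempts": len(current),
                    "distinct_users": len(distinct),
                    "failed": sum(1 for _, _, r in current if r == "FAIL"),
                    # successful logins inside a stuffing burst are the accounts
                    # most likely to have been taken over; they need follow-up
                    "compromised_candidates": sorted({u for _, u, r in current if r == "OK"}),
                }
                # keep the largest qualifying window seen for this IP
                if ip not in flagged or stats["attempts"] > flagged[ip]["attempts"]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(ip, stats)
```

On the sample log the first source is flagged (seven usernames in three seconds, one of which succeeded and should be treated as a likely takeover), while the second source, a single user failing twice and then logging in, is not. In production the same logic would run per source on a stream of events, and the distinct-username count is the signal that separates stuffing from ordinary password fumbling.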
For sites that only require a username and password, fraudsters can easily take over the account and change the password. But if the account requires a username, password and a one-time code, or a biometrics verification, then the fraudster will need to access that information to take over the account which raises the degree of difficulty.
Several years ago, NIST warned that SMS-based two-factor authentication was not as secure as other authentication schemes because of man-in-the-middle attacks, phishing and credential stuffing.
Since the dark web and online fraud have become more sophisticated, traditional forms of authentication can no longer reliably ensure that the person logging into an online account is the actual account owner. Physical biometrics, on the other hand, are much harder for the average fraudster to obtain.
Face-based authentication to the rescue
Face-based biometric authentication is not only far more convenient for consumers than traditional methods of online verification, but it is also much more secure. The biometric data cannot be hacked or duplicated. The data can be kept on the device, rather than on a server or in the cloud, and can remain secure even if the device is stolen. Just as important, facial biometrics offers a simple one-step solution to the problem of remembering a vast array of PIN codes and passwords.
Given our collective obsession with our smartphones, it’s not surprising that face-based biometrics are becoming the most popular method of authentication thanks in large part to Apple’s Face ID.
How face-based authentication works
There are several emerging methods of biometric authentication, so let me briefly explain Jumio’s approach to face-based authentication to paint a picture of how this works in practice. The approach starts with the new user capturing their government-issued ID and a selfie when creating a new online account. The picture on the ID document is then compared to the selfie to deliver a definitive match/no match decision. As part of this identity proofing process, a face-based authentication solution can create a 3D face map of the user, which is stored and bound to the new customer during initial enrollment. A 3D face map contains 100 times more data points than a 2D photo, and is required to accurately recognize the correct user’s face while concurrently verifying their human liveness.
More advanced solutions include liveness detection during this step. Spoofing attacks, in which fraudsters try to fool the selfie requirement, are on the rise. Spoofing attempts generally use a photo, video or another substitute for an authorized person’s face in order to acquire that person’s privileges or access rights. To foil these attempts, modern identity verification companies leverage certified liveness detection that captures biometric data through a smartphone’s front-facing selfie camera or a computer’s webcam.
Now, let’s assume authentication is required for account access. Instead of relying on a username and password, the user only needs to capture a fresh selfie (one close up and one a little further away), because a complete face map was already captured when the account was created. A new face map is then compared to the original 3D face map captured during enrollment and a match/no match decision is made. This authentication process takes just seconds to complete.
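The enrollment and login flow described in the preceding paragraphs has a fixed shape: at sign-up the selfie must pass liveness and match the ID document before a template is bound to the account, and at login a fresh capture must pass liveness before it is compared against that template. The following added example models that flow; it is not Jumio’s code and does not reproduce a 3D face map. It assumes that a face capture has already been reduced to a short list of numbers (an embedding) by some hypothetical feature extractor, that cosine similarity is the comparison, and that 0.90 is the match threshold; all sample embeddings are constructed.

```python
import math

# Simplified model of face-template enrollment and authentication.
# ASSUMPTION: a face map is represented as a list of floats (an embedding)
# produced by some hypothetical feature extractor; a real 3D face map is a
# vendor-specific structure and is not modelled here.
MATCH_THRESHOLD = 0.90  # assumed minimum cosine similarity for a "match" decision


def cosine_similarity(a, b):
    """Similarity in [-1, 1] between two equal-length embeddings."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


class FaceAuthenticator:
    def __init__(self, threshold=MATCH_THRESHOLD):
        self.threshold = threshold
        self.templates = {}  # account_id -> enrolled face template

    def enroll(self, account_id, id_document_face, selfie_face, selfie_is_live):
        """Identity proofing: the selfie must pass liveness AND match the ID
        document photo. Only then is the selfie-derived template bound to the
        new account."""
        if not selfie_is_live:
            return False
        if cosine_similarity(id_document_face, selfie_face) < self.threshold:
            return False
        self.templates[account_id] = selfie_face
        return True

    def authenticate(self, account_id, fresh_face, fresh_is_live):
        """Login: liveness is checked BEFORE similarity, so a replayed photo or
        video of the right face is rejected even though it would match."""
        if not fresh_is_live:
            return False
        template = self.templates.get(account_id)
        if template is None:
            return False  # nothing enrolled for this account
        return cosine_similarity(template, fresh_face) >= self.threshold


# Constructed sample embeddings (4-dimensional for readability)
ID_PHOTO = [0.88, 0.12, 0.28, 0.70]          # face extracted from the ID document
SELFIE_AT_SIGNUP = [0.90, 0.10, 0.30, 0.70]  # live selfie captured at enrollment
SELFIE_AT_LOGIN = [0.85, 0.15, 0.30, 0.72]   # same person, new capture at login
OTHER_PERSON = [0.10, 0.90, 0.70, 0.20]      # a different face


def demo():
    """Run enrollment and several login attempts; return the decisions."""
    auth = FaceAuthenticator()
    return {
        "enrolled": auth.enroll("acct-1", ID_PHOTO, SELFIE_AT_SIGNUP, selfie_is_live=True),
        "genuine_login": auth.authenticate("acct-1", SELFIE_AT_LOGIN, fresh_is_live=True),
        "replayed_capture": auth.authenticate("acct-1", SELFIE_AT_LOGIN, fresh_is_live=False),
        "other_person": auth.authenticate("acct-1", OTHER_PERSON, fresh_is_live=True),
        "unknown_account": auth.authenticate("acct-2", SELFIE_AT_LOGIN, fresh_is_live=True),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'match' if decision else 'no match'}")
```

The ordering of the checks is the point worth taking from the model: liveness is a gate that is evaluated first, so a capture that fails it never reaches the similarity comparison, and the template is only ever written after the ID-to-selfie match succeeds. Whatever the real comparison function and threshold are, the decision remains a binary match/no match and the enrolled template is bound to exactly one account.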
This type of authentication enables online businesses to reliably authenticate users for regular logins, high-risk transactions and for a variety of emerging use cases. And most importantly, it nullifies the risk of ATO since it does not rely on a username and password which could have easily been stolen.
Time to say goodbye to the password
Unless banks and payments companies make a concerted effort to address account takeovers, they will continue to be victimized. Fraudsters can not only divert funds through account takeovers, but they can also access other data like personal information and card numbers to inflict even more damage on consumers and the financial institutions they trust. Because ATO fraud looks like activity by a trusted customer, detection is difficult.
This demands a fresh perspective. It means moving away from the username and password approach to user authentication. While we may be a few years away from killing the password, we’re starting to see the increased adoption of face-based authentication in the payments and financial services space. Biometric authentication not only gives your customers greater peace of mind, it’s a powerful disincentive to fraudsters who generally don’t want to share their own photo or selfie or go through a liveness check.
With biometric authentication, the risks are just too high for the fraudster. Face-based authentication is a breeze for legitimate users but creates multiple hurdles for scammers, who more often than not will chase easier targets: targets that still rely on a simple username and password form of authentication.
About Philipp Pointner
Philipp serves as Chief Product Officer at Jumio, the leading provider of ID verification technology and services for financial services, travel, sharing economy, gaming and cryptocurrency sectors. A product visionary and leader in the global financial services and e-commerce spaces, Philipp has successfully led products for over a decade. He is a frequent speaker at conferences and meet-ups, sharing his passion for product leadership, product management, strategy and vision development.
Jumio helps organizations meet regulatory compliance including KYC, AML and GDPR through cutting-edge online identity verification and authentication services that quickly and accurately connect a person’s online and real-world identities. Jumio has verified more than 180 million identities issued by over 200 countries from real-time web and mobile transactions.